PC Plus HelpDesk - issue 222
|This month, Paul Grosse gives you more insight into
some of the topics dealt with in HelpDesk and HelpDesk
From the pages of HelpDesk, we look at:
- Being attacked by your DNS?
- Automatically downloading the web with wget.
From HelpDesk Extra, we look at Computer
- Thrown object ballistic flight computer
Being attacked by your DNS?
Unless somebody has actually managed to break into
your ISP's DNS and is using it to mount attacks on its
customer's, it is more likely that somebody is trying to
attack you directly. Why? Well, life it too short to be
everybody else's psychiatrist. But, this is how it is
done. Many (you might like to think of that as reading 'A
few') home users will have desktop firewalls on their
machines and some of these firewalls will be of the type
that will look at a port scan and decide at some stage of
the attack, that all traffic from that IP address is
hostile. If it does, the usual course of action is to
block that IP address so that the firewall can carry on
doing what it is supposed to do.
Many home users will log onto their ISP and get a
dynamically allocated IP address so if an attacker wants
to change IP address, all they have to do is log off and
then log on again (there are other ways of doing it but
that is the simplest in most cases - 'switch off, switch
on'). Recognising this, the firewalls will not (usually)
block a particular IP address for more than a certain
amount of time (say, 500 minutes, aka 8 or so hours).
This way, genuine users that have inherited a 'bad' IP
address, will not be blocked for ever which can only be a
good thing (it is conceivable that the attackers could
eventually write-off a whole IP address block if they
were labelled permanently).
|Any way. If someone, for some
reason best known to themselves (assuming that
they are not suffering from some sort of
psycho-pathological disorder), decided that they
were going to cause a little havoc by denying
users access to their ISP's DNS (thereby
precluding any web browsing of new sites) all
they have to do is convince your firewall that it
is under attack from the DNS.
This SonicWALL (appliance firewall)
has picked up the attack
but reported it rather than blocked it.
Desktop firewalls tend to block
so it is worth checking this out.
This can be done by doing a port scan or some other
attack but instead of having the attacker's IP address as
the source address, they substitute your DNS's IP
address(es). Your firewall sees the attack and blocks off
all traffic in both directions to the DNS and before you
know it, you cannot convert the domain name into an IP
unless it is stored locally.
To combat this:
- you can make IP specific statements in your
firewall configuration that will allow your DNS
servers keep in contact regardless of this type
- you can reduce the time of the denial or disable
the denial and put up with the extra processing
your firewall has to do, slowing it down (if that
turns out to be a problem - try it out first).
Choose your poison. That is, of course, if you only
use your own ISP's DNS servers. There is one way that
will get around this problem completely. If you have your
own ISP's DNS servers as the top servers in the list,
they will get all of the requests as they should.
However, if you include some other DNS servers, these
will (if they are configured to allow you to) replace the
service until your firewall will let the others online
Automatically downloading the web with wget.
If you don't want to sit up at night, waiting to
download your webcounter at a specific time, making sure
that you never miss one, even when you are on holiday,
you need to automate the process.
One way of finding the value of your web
counter is to open up the page in your browser and
refresh it when you need to look at the counter value.
Clearly, there are too many times when this is not
convenient so some other way has to be found of doing
this. One program that is usually part of Linux
installations is 'wget' which will download files (or
even whole sites or parts of sites) for you. You can
operate this from the command line and to check that you
have your command line configuration correct (ready to
put in the crontab), this is the best way of doing it. A
screenshot of the top of the manual pages for wget as
supplied with SuSE Linux is on the right and if you click
on the image, it will open up in full.
Once you have your command line so that you can download
the files you want, you can put that command line into
the crontab file.
# wget the fast counter image on Fridays and Sundays
# and put the image and the log in the /home/paul/wget/ directory
59 23 * * 5 paul wget --proxy=off http://counter.uri
-P /home/paul/wget -a /home/paul/wget/fc_log
59 23 * * 0 paul wget --proxy=off http://counter.uri
-P /home/paul/wget -a /home/paul/wget/fc_log
1 0 1 * * paul wget --proxy=off http://counter.uri
-P /home/paul/wget -a /home/paul/wget/fc_log
(Note that each line in the crontab file other than
the comment lines begins with the time data and that in
the real file, the line beginning with '-P' is a
same-line continuation of the above line displayed here,
ie '-P' comes after the counter URI.)
In the above crontab listing, the lines execute wget
as user 'paul' at 25:59 every Friday (5) and Sunday (0)
and at one minute past midnight on the first day of every
Windows does not come with all of these free programs but
wget is ported to Windows under the GPL -- all you need
to do is unzip the zip file (included on this months
SuperDisc - click here ... wget-1.9.1b-complete.zip)
perfect your command line and then get your computer to
execute it automatically.
Unfortunately, Windows is not blessed with an
easy-to-use crontab file. Instead, we have the scheduler
which can be found under
Start/Programs/Accessories/System Tools/Scheduled Tasks.
Instead of just adding a line or two to a file, we have
to work out way through a wizard, eventually finishing
with the desired result.
Click on the image on the right to see it full-size.
Phishing is a social engineering attack and, if the
figures are to be believed, it has a very high success
rate with around a quarter of recipients believing what
They come in a number of guises in html mail with or
without images. Either way, they need to convey the
impression that they are the genuine article but send the
victim off to some site other than the one that they
think they are going to. To do this, they either have an
image that looks like a web page but instead of just the
part of the image with the link being active, the whole
image is active, or, they use an innocent looking link.
In both cases, the user thinks that they are clicking on
one thing when in fact, they are being mislead.
In html text links, the apparent link can be different
which will look like this...
If you hover the mouse over the link, you will see
that the real URI appears in the left part of the status
bar of your browser (if you have it turned on). This can
be overcome with scripting and other browser-specific
methods so that it appears that the correct URI is being
pointed at. Also, there are ways of getting browsers to
display the secure (padlock) icon as well.
Text only phishing scams will get mail browsers that
have images turned off but have to get past anti-spam
programs. In the example below, you can see how this is
done (although not successful in this case).
In this case, all looks all right until you look a
little closer at it.
- Letter Substitution
- In order to get past the filtering, they have
used an uppercase 'I' instead of a lowercase 'L'
in 'Online', 'Please', 'follow' and so on.
- Poor Grammar
- 'As the Technical service of bank have ...'
should of course read '... Technical services
of the bank has
...'; '... otherwise your access to the system
may be blocked.' '... system may
be' should be 'system might
be ...'; '... to fill the form ...' should be
'... to fill in the
form ...' or '... to fill out
the form ...'
- No bank in its right mind would ask a user to
give away his UserID and password over an
insecure link as in the http://
link at the bottom. As a minimum, this should be https://
as that uses SSL. Actually, with vulnerabilities
in systems like this, you might as what are they
doing banking online any way?
If that is not enough to convince you, I then
highlighted it merely by dragging the mouse across it and
got the following...
You can now see all of the text that was written in
the same colour as the background - it is the text that
appears on the same coloured background (dragging the
mouse across it swaps the colours around the new
background is the old text colour and the new text colour
is the XOR of the old text colour so white text on white
background becomes black text on a white background and
so on). The spammer/phisher uses this to try to get it
through the spam filters by making it look like text that
the spam filter does not recognise.
Images, of course, cannot (yet) be analysed by text
monitoring software such as spam filters. These usually
appear as an attachment in a very sparse email that is
little more than a link in the image (the whole image).
They look like the collection below and if you click on
the image, you can see a full-screen montage in a new
As you can see, the images have random names. All the
phisher has to do is to set up a server, steal the images
from the bona fide website and get working. Soon, (s)he
will have people's account details. All the user can do
is refuse to co-operate with such requests. Banks know
that this route to resetting a user's account (if it ever
did need doing) is not usable and will not ask you to
participate in this. So, don't.
Last month, we looked at the humble spreadsheet and
saw how to do double entry book keeping using only one
function. Here, we take it a little further and make an
outright computer model, but again, if you look at the
files on the SuperDisc, you will see that the number of
functions that have been used is very small.
Thrown object ballistic flight computer model
Computer modelling is a lot easier than you would
think. Although I have been up to this since before
Chernobyl I still think that it is fairy easy for any
people who can apply themselves to it. My first computer
model was for a counter-current heat exchanger that I was
going to use as part of a model for a nuclear power
station game that I was writing. I had got all of the
cooling circuits, exchangers, pumps and everything
working fine and then Chernobyl happened so that was the
end of that. My second was for a chemical company I later
got a job with. I modelled a chemical reactor and local
plug-reaction circuit and immediately unearthed a fault
in the programme logic control sequence - correcting it
saved the company around 30,000 GBP per year. Since then
I have modelled all manner of things - go to Google and
look up 'water rockets'.
However, easy though it might be, it is even easier to
make mistakes. If you have gone straight to computer
program, it will be very difficult to track down. But,
with a spreadsheet, you can take each time slice and
allocate it a new row. In these cells, you can see if any
value is oscillating wildly or expanding exponentially.
It is all very visible. And here are the files you can
use to see the model described in this month's PC Plus
magazine in a number of popular file formats. Note that
the OOo file will open in Linux as well as Windows (or
any of the other supported operating systems).
|Lotus 1-2-3 97
Once you have a working spreadsheet
model, you can get down to programming it in your
favourite programming language.
Back to PC Plus Archive Index Page